#undef AFS_LARGEFILE_ENV
#undef AFS_NAMEI_ENV
#undef BITMAP_LATER
-#undef BOS_RESTRICTED_MODE
#undef FAST_RESTART
#undef FULL_LISTVOL_SWITCH
#undef COMPLETION_H_EXISTS
[AS_HELP_STRING([--disable-pam], [disable PAM support])],
,
[enable_pam="yes"])
-AC_ARG_ENABLE([bos-restricted-mode],
- [AS_HELP_STRING([--enable-bos-restricted-mode],
- [enable bosserver restricted mode which disables certain bosserver
- functionality])],
- ,
- [enable_bos_restricted_mode="no"])
AC_ARG_ENABLE([largefile-fileserver],
[AS_HELP_STRING([--disable-largefile-fileserver],
[disable large file support in fileserver])],
fi
fi
-if test "$enable_bos_restricted_mode" = "yes"; then
- AC_DEFINE(BOS_RESTRICTED_MODE, 1, [define if you want to want bos restricted mode])
-fi
-
if test "$enable_largefile_fileserver" = "yes"; then
AC_DEFINE(AFS_LARGEFILE_ENV, 1, [define if you want large file fileserver])
fi
=item *
Commands to set and verify server process and server machine status: B<bos
-getlog>, B<bos getrestart>, B<bos setauth>, B<bos setrestart>, and B<bos
-status>.
+getlog>, B<bos getrestart>, B<bos getrestricted>, B<bos setauth>,
+B<bos setrestart>, B<bos setrestricted> and B<bos status>.
=item *
L<bos_getdate(8)>,
L<bos_getlog(8)>,
L<bos_getrestart(8)>,
+L<bos_getrestricted(8)>,
L<bos_help(8)>,
L<bos_install(8)>,
L<bos_listhosts(8)>,
L<bos_setauth(8)>,
L<bos_setcellname(8)>,
L<bos_setrestart(8)>,
+L<bos_setrestricted(8)>,
L<bos_shutdown(8)>,
L<bos_start(8)>,
L<bos_startup(8)>,
machine as the local superuser C<root> if the B<-localauth> flag is
included.
+The B<bos create> command cannot be run against servers which are in
+restricted mode.
+
=head1 NOTES
If the B<-notifier> argument is included when this command is used to
machine as the local superuser C<root> if the B<-localauth> flag is
included.
+The B<bos delete> command cannot be run against servers which are in
+restricted mode.
+
=head1 SEE ALSO
L<BosConfig(5)>,
machine as the local superuser C<root> if the B<-localauth> flag is
included.
+The B<bos exec> command is not available on servers running in restricted
+mode.
+
=head1 SEE ALSO
L<bos(8)>
machine as the local superuser C<root> if the B<-localauth> flag is
included.
+When a server is in restricted mode, B<bos getlog> can only return the
+contents of the salvager's log.
+
=head1 SEE ALSO
L<bos(8)>
--- /dev/null
+=head1 NAME
+
+bos_getrestricted - Displays whether a bos server is restricted or not
+
+=head1 SYNOPSIS
+
+=for html
+<div class="synopsis">
+
+B<bos getrestricted> S<<< B<-server> <I<machine name>> >>> S<<< [B<-cell> <I<cell name>>] >>>
+ [B<-noauth>] [B<-localauth>] [B<-help>]
+
+=for html
+</div>
+
+=head1 DESCRIPTION
+
+The bos getrestricted command shows whether the server machine named by
+the B<-server> argument is running in restricted mode.
+
+Restricted mode limits access to certain bos commands. See
+L<bos_setrestricted(8)> for details of which commands are disabled by
+restricting a server.
+
+Use the B<bos setrestricted> command to restrict, or un-restrict, a server.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-server> <I<machine name>>
+
+Indicates the server machine for which to display the restart
+times. Identify the machine by IP address or its host name (either
+fully-qualified or abbreviated unambiguously). For details, see L<bos(8)>.
+
+=item B<-cell> <I<cell name>>
+
+Names the cell in which to run the command. Do not combine this argument
+with the B<-localauth> flag. For more details, see L<bos(8)>.
+
+=item B<-noauth>
+
+Assigns the unprivileged identity C<anonymous> to the issuer. Do not
+combine this flag with the B<-localauth> flag. For more details, see
+L<bos(8)>.
+
+=item B<-localauth>
+
+Constructs a server ticket using a key from the local
+F</usr/afs/etc/KeyFile> file. The B<bos> command interpreter presents the
+ticket to the BOS Server during mutual authentication. Do not combine this
+flag with the B<-cell> or B<-noauth> options. For more details, see
+L<bos(8)>.
+
+=item B<-help>
+
+Prints the online help for this command. All other valid options are
+ignored.
+
+=back
+
+=head1 OUTPUT
+
+The output consists of a single line
+
+ Restricted mode is <val>
+
+Where <val> is "on" or "off"
+
+=head1 PRIVILEGE REQUIRED
+
+None
+
+=head1 SEE ALSO
+
+L<KeyFile(5)>,
+L<bos(8)>,
+L<bos_setrestricted(8)>,
+
+=head1 COPYRIGHT
+
+Copyright 2009 Simon Wilkinson <simon@sxw.org.uk>
+
+This documentation is covered by the BSD License as written in the
+doc/LICENSE file. This man page was written by Simon Wilkinson for
+OpenAFS.
+
machine as the local superuser C<root> if the B<-localauth> flag is
included.
+The B<bos install> command cannot be run against servers which are in
+restricted mode.
+
=head1 SEE ALSO
L<BosConfig(5)>,
machine as the local superuser C<root> if the B<-localauth> flag is
included.
+The B<bos prune> command cannot be run against servers which are in
+restricted mode.
+
=head1 SEE ALSO
L<KeyFile(5)>,
--- /dev/null
+=head1 NAME
+
+bos_setrestricted - place a server in restricted mode
+
+=head1 SYNOPSIS
+
+=for html
+<div class="synopsis">
+
+B<bos setrestricted> S<<< B<-server> <I<machine name>> >>> S<<< B<-mode> 1 >>>
+ S<<< [B<-cell> <I<cell name>>] >>> [B<-noauth>] [B<-localauth>] [B<-help>]
+
+=for html
+</div>
+
+=head1 DESCRIPTION
+
+The B<bos restricted> command places the server in restricted mode. This
+mode increases the security of the bos server by removing access to a
+number of bos commands that are only used whilst configuring a system.
+
+When a server is in restricted mode, access to B<bos_exec>, B<bos uninstall>,
+B<bos install>, B<bos create>, B<bos install>, B<bos delete>, B<bos prune>
+is denied, and the use of B<bos getlog> is limited.
+
+=head1 CAUTIONS
+
+Once a server has been placed in restricted mode, it may not be opened up
+again using a remote command. That is, B<bos setrestricted> has no method
+of setting an unrestricted mode. Once a server is restricted, it can only
+be opened up again by sending it a SIGFPE, which must be done as root on
+the local machine.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-server> <I<machine name>>
+
+Indicates the server machine to restrict.
+
+=item B<-cell> <I<cell name>>
+
+Names the cell in which to run the command. Do not combine this argument
+with the B<-localauth> flag. For more details, see L<bos(8)>.
+
+=item B<-noauth>
+
+Assigns the unprivileged identity C<anonymous> to the issuer. Do not
+combine this flag with the B<-localauth> flag. For more details, see
+L<bos(8)>.
+
+=item B<-localauth>
+
+Constructs a server ticket using a key from the local
+F</usr/afs/etc/KeyFile> file. The B<bos> command interpreter presents the
+ticket to the BOS Server during mutual authentication. Do not combine this
+flag with the B<-cell> or B<-noauth> options. For more details, see
+L<bos(8)>.
+
+=item B<-help>
+
+Prints the online help for this command. All other valid options are
+ignored.
+
+=back
+
+=head1 PRIVILEGE REQUIRED
+
+The issuer must be listed in the F</usr/afs/etc/UserList> file on the
+machine named by the B<-server> argument, or must be logged in as the
+local superuser C<root> if the B<-localauth> flag is included.
+
+As noted above, this command cannot be run against servers which are
+already in restricted mode.
+
+=head1 SEE ALSO
+
+L<bos(8)>
+
+=head1 COPYRIGHT
+
+Copyright 2009 Simon wilkinson <simon@sxw.org.uk>
+
+This documentation is covered by the BSD License as written in the
+doc/LICENSE file. This man page was written by Simon Wilkinson for
+OpenAFS.
+
machine as the local superuser C<root> if the B<-localauth> flag is
included.
+The B<bos uninstall> command cannot be run against servers running in
+restricted mode.
+
=head1 SEE ALSO
L<BosConfig(5)>,
B<bosserver> [B<-noauth>] [B<-log>] [B<-enable_peer_stats>]
S<<< [B<-auditlog> <I<log path>>] >>> [B<-audit-interface> (file | sysvmq)]
- [B<-enable_process_stats>] [B<-allow-dotted-principals>] [B<-help>]
+ [B<-enable_process_stats>] [B<-allow-dotted-principals>]
+ [B<-restricted>] [B<-help>]
=for html
</div>
between principal names may disable this check by starting the server
with this option.
+=item B<-restricted>
+
+In normal operation, the bos server allows a super user to run any command.
+When the bos server is running in restricted mode (either due to this
+command line flag, or when configured by L<bos_setrestricted(8)>) a number
+of commands are unavailable. Note that this flag persists across reboots.
+Once a server has been placed in restricted mode, it can only be opened up
+by sending the SIGFPE signal.
+
=item B<-help>
Prints the online help for this command. All other valid options are
L<bos_getlog(8)>,
L<bos_getrestart(8)>,
L<bos_restart(8)>,
+L<bos_setrestricted(8)>,
L<bos_shutdown(8)>,
L<bos_start(8)>,
L<bos_startup(8)>,
return 0;
}
-#ifdef BOS_RESTRICTED_MODE
static int
GetRestrict(struct cmd_syndesc *as, void *arock)
{
printf("bos: failed to set restricted mode (%s)\n", em(code));
return 0;
}
-#endif
static void
add_std_args(register struct cmd_syndesc *ts)
cmd_AddParm(ts, "-newbinary", CMD_FLAG, CMD_OPTIONAL,
"set new binary restart time");
add_std_args(ts);
+ cmd_CreateAlias(ts, "setr");
ts = cmd_CreateSyntax("getrestart", GetRestartCmd, NULL,
"get restart times");
cmd_AddParm(ts, "-server", CMD_SINGLE, CMD_REQUIRED, "machine name");
add_std_args(ts);
+ cmd_CreateAlias(ts, "getr");
ts = cmd_CreateSyntax("salvage", SalvageCmd, NULL,
"salvage partition or volumes");
cmd_AddParm(ts, "-server", CMD_SINGLE, CMD_REQUIRED, "machine name");
add_std_args(ts);
-#ifdef BOS_RESTRICTED_MODE
ts = cmd_CreateSyntax("getrestricted", GetRestrict, NULL,
"get restrict mode");
cmd_AddParm(ts, "-server", CMD_SINGLE, 0, "machine name");
cmd_AddParm(ts, "-mode", CMD_SINGLE, 0, "mode to set");
add_std_args(ts);
#endif
-#endif
code = cmd_Dispatch(argc, argv);
rx_Finalize();
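Review bot: The two added `cmd_CreateAlias(ts, "setr");` and `cmd_CreateAlias(ts, "getr");` lines carry no explanation, and the reason only becomes apparent lower in the same hunk, where the `getrestricted` (and presumably `setrestricted`) syntaxes are created and now share the `getr`/`setr` prefix with `getrestart`/`setrestart`. A one-line comment above each alias would save the next reader the search, e.g. `/* keep the old "getr"/"setr" abbreviations bound to the restart commands now that getrestricted/setrestricted share the prefix */`. The parameter lines for the restricted-mode syntax also pass a bare `0` as the flag argument where the neighbouring definitions write `CMD_REQUIRED`; since this code is now compiled unconditionally, using the named constant there (assuming `0` is indeed CMD_REQUIRED in this cmd library) would read consistently. The enclosing function continues past the end of the hunk.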
extern struct afsconf_dir *bozo_confdir;
extern int bozo_newKTs;
extern int DoLogging;
-#ifdef BOS_RESTRICTED_MODE
extern int bozo_isrestricted;
-#endif
afs_int32
SBOZO_GetRestartTime(struct rx_call *acall, afs_int32 atype, struct bozo_netKTime *aktime)
code = BZACCESS;
goto fail;
}
-#ifdef BOS_RESTRICTED_MODE
if (bozo_isrestricted) {
code = BZACCESS;
goto fail;
}
-#endif
if (DoLogging)
bozo_Log("%s is executing the shell command '%s'\n", caller, acmd);
osi_auditU(acall, BOS_UnInstallEvent, code, AUD_STR, aname, AUD_END);
return code;
}
-#ifdef BOS_RESTRICTED_MODE
if (bozo_isrestricted) {
code = BZACCESS;
osi_auditU(acall, BOS_UnInstallEvent, code, AUD_STR, aname, AUD_END);
return code;
}
-#endif
/* construct local path from canonical (wire-format) path */
if (ConstructLocalBinPath(aname, &filepath)) {
if (!afsconf_SuperUser(bozo_confdir, acall, caller))
return BZACCESS;
-#ifdef BOS_RESTRICTED_MODE
if (bozo_isrestricted)
return BZACCESS;
-#endif
/* construct local path from canonical (wire-format) path */
if (ConstructLocalBinPath(aname, &fpp)) {
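Review bot: The restricted-mode denial in the Install handler (`if (bozo_isrestricted) return BZACCESS;`) returns without an audit record, whereas the equivalent denial in the UnInstall handler two hunks up records `osi_auditU(acall, BOS_UnInstallEvent, code, AUD_STR, aname, AUD_END);` before returning. If Install only audits at the end of the function (outside the hunk), both early returns bypass it, so a refused install on a restricted server leaves no trace in the audit log even though that is precisely the event an operator would want to see. Consider mirroring the UnInstall pattern, e.g. `osi_auditU(acall, BOS_InstallEvent, BZACCESS, AUD_STR, aname, AUD_END);` before the return, using whichever event id Install already uses elsewhere. The enclosing function starts and ends outside the hunk.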
code = BZACCESS;
goto fail;
}
-#ifdef BOS_RESTRICTED_MODE
if (bozo_isrestricted) {
if (strcmp(atype, "cron") || strcmp(ainstance, "salvage-tmp")
|| strcmp(ap2, "now")
goto fail;
}
}
-#endif
code =
bnode_Create(atype, ainstance, &tb, ap1, ap2, ap3, ap4, ap5, notifier,
code = BZACCESS;
goto fail;
}
-#ifdef BOS_RESTRICTED_MODE
if (bozo_isrestricted) {
code = BZACCESS;
goto fail;
}
-#endif
if (DoLogging)
bozo_Log("%s is executing DeleteBnode '%s'\n", caller, ainstance);
code = BZACCESS;
goto fail;
}
-#ifdef BOS_RESTRICTED_MODE
if (bozo_isrestricted) {
code = BZACCESS;
goto fail;
}
-#endif
if (DoLogging)
bozo_Log("%s is executing Prune (flags=%d)\n", caller, aflags);
code = BZACCESS;
goto fail;
}
-#ifdef BOS_RESTRICTED_MODE
if (bozo_isrestricted && strchr(aname, '/')
&& strcmp(aname, AFSDIR_CANONICAL_SERVER_SLVGLOG_FILEPATH)) {
code = BZACCESS;
goto fail;
}
-#endif
/* construct local path from canonical (wire-format) path */
if (ConstructLocalLogPath(aname, &logpath)) {
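Review bot: The now-unconditional restricted-mode check in the GetLog handler only rejects a name that contains a `/` and differs from AFSDIR_CANONICAL_SERVER_SLVGLOG_FILEPATH; a bare name without a slash falls through to ConstructLocalLogPath, so in restricted mode any file that resolves inside the server's log directory (presumably what ConstructLocalLogPath does with a relative name) remains fetchable by name. The man-page sentence added by the same commit, `When a server is in restricted mode, B<bos getlog> can only return the contents of the salvager's log.`, therefore claims more than the code enforces. Either tighten the condition so that only the salvager log path is accepted regardless of slashes, or reword the page to say that absolute paths other than the salvager log are refused while names inside the log directory are still served. The enclosing function starts and ends outside the hunk.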
return BZNOENT;
}
-#ifdef BOS_RESTRICTED_MODE
afs_int32
SBOZO_GetRestrictedMode(struct rx_call *acall, afs_int32 *arestmode)
{
}
bozo_isrestricted = arestmode;
code = WriteBozoFile(0);
- fail:
- return code;
-}
-#else
-afs_int32
-SBOZO_GetRestrictedMode(struct rx_call *acall, afs_int32 *arestmode)
-{
- return RXGEN_OPCODE;
-}
-afs_int32
-SBOZO_SetRestrictedMode(struct rx_call *acall, afs_int32 arestmode)
-{
- return RXGEN_OPCODE;
+ return code;
}
-#endif
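Review bot: As rendered, this hunk removes the `fail:` label together with the old `return code;` and re-adds only `return code;`, so the `goto fail` jumps that the earlier part of SBOZO_SetRestrictedMode appears to use (the function starts above the hunk, and its siblings in this file all use the same pattern) would be left without a target and the file would not compile; if the page merely dropped a `+  fail:` line this is moot, otherwise keep `fail:` immediately before the final `return code;`. Independently, `bozo_isrestricted = arestmode;` stores the wire value unchanged before `WriteBozoFile(0)` persists it, and the hunk shows no range check on `arestmode`; if one exists above the hunk, a comment such as `/* arestmode already validated above; persisted to BozoConfig */` would make that visible here, and if none exists, rejecting values other than 0 and 1 before the assignment would keep the on-disk `restrictmode` line to the documented values.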
void *
bozo_ShutdownAndExit(void *param)
#define ADDRSPERSITE 16 /* Same global is in rx/rx_user.c */
afs_uint32 SHostAddrs[ADDRSPERSITE];
-#ifdef BOS_RESTRICTED_MODE
int bozo_isrestricted = 0;
int bozo_restdisable = 0;
bozo_isrestricted = 0;
bozo_restdisable = 1;
}
-#endif
struct bztemp {
FILE *file;
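Review bot: `bozo_isrestricted` and `bozo_restdisable` are declared as plain `int`, yet the lines shown in this hunk write both from what looks like the SIGFPE handler (`bozo_isrestricted = 0; bozo_restdisable = 1;`) while the main loop further down in this file polls `bozo_restdisable`. For a flag shared between a signal handler and ordinary code the C standard only guarantees `volatile sig_atomic_t`; as written the compiler may legitimately cache the polled value. Now that this code is compiled unconditionally it would be worth `volatile sig_atomic_t bozo_restdisable = 0;` and the same qualifier on `bozo_isrestricted`, with the `extern int bozo_isrestricted;` declaration in bosprocs.c updated to match. The handler's definition begins above the hunk.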
afs_int32 i, goal;
struct bnode *tb;
char *parms[MAXPARMS];
-#ifdef BOS_RESTRICTED_MODE
int rmode;
-#endif
/* rename BozoInit to BosServer for the user */
if (!aname) {
bozo_nextDayKT.sec = ktsec;
continue;
}
-#ifdef BOS_RESTRICTED_MODE
+
if (strncmp(tbuffer, "restrictmode", 12) == 0) {
code = sscanf(tbuffer, "restrictmode %d", &rmode);
if (code != 1) {
bozo_isrestricted = rmode;
continue;
}
-#endif
if (strncmp("bnode", tbuffer, 5) != 0) {
code = -1;
if (!tfile)
return -1;
btemp.file = tfile;
-#ifdef BOS_RESTRICTED_MODE
+
fprintf(tfile, "restrictmode %d\n", bozo_isrestricted);
-#endif
fprintf(tfile, "restarttime %d %d %d %d %d\n", bozo_nextRestartKT.mask,
bozo_nextRestartKT.day, bozo_nextRestartKT.hour,
bozo_nextRestartKT.min, bozo_nextRestartKT.sec);
IOMGR_Sleep(60);
now = FT_ApproxTime();
-#ifdef BOS_RESTRICTED_MODE
if (bozo_restdisable) {
bozo_Log("Restricted mode disabled by signal\n");
bozo_restdisable = 0;
}
-#endif
+
if (bozo_newKTs) { /* need to recompute restart times */
bozo_newKTs = 0; /* done for a while */
nextRestart = ktime_next(&bozo_nextRestartKT, BOZO_MINSKIP);
sigaction(SIGABRT, &nsa, NULL);
#endif
osi_audit_init();
-#ifdef BOS_RESTRICTED_MODE
signal(SIGFPE, bozo_insecureme);
-#endif
#ifdef AFS_NT40_ENV
/* Initialize winsock */
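Review bot: `signal(SIGFPE, bozo_insecureme);` is now registered unconditionally with `signal()`, while the SIGABRT handler two lines above is installed with `sigaction()`; on platforms with System V `signal()` semantics the disposition is reset to SIG_DFL after the first delivery, so a second SIGFPE (after the server has been restricted again) would terminate the bosserver with the default core-dumping action instead of clearing restricted mode as the new bosserver man page describes. Using `sigaction()` with an explicitly filled struct, e.g. `nsa.sa_handler = bozo_insecureme; sigaction(SIGFPE, &nsa, NULL);` on the path where `nsa` is already set up, gives a persistent handler. The `#ifdef` that guards the sigaction block opens above the hunk, so the Windows build may still need the `signal()` form.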
} else if (strcmp(argv[code], "-enable_process_stats") == 0) {
rx_enableProcessRPCStats();
}
-#ifdef BOS_RESTRICTED_MODE
else if (strcmp(argv[code], "-restricted") == 0) {
bozo_isrestricted = 1;
}
-#endif
else if (strcmp(argv[code], "-rxbind") == 0) {
rxBind = 1;
}
/*#undef AFS_AFSDB_ENV*/
#define AFS_AFSDB_ENV 1
#undef AFS_NAMEI_ENV
-#define BOS_RESTRICTED_MODE
#undef FAST_RESTART
#undef BITMAP_LATER